Privacy Policy

This Privacy Policy explains how XMS QUEST SRL ("Company", "we", "us", or "our") collects, uses, stores, and protects personal data when you access or use DCA, a software-as-a-service platform available at https://dca.xms.quest (the "Service").

This Privacy Policy forms an integral part of our Terms of Service and applies to all users in the European Union, United States, and other jurisdictions, subject to applicable law.

1. Data Controller

Company: XMS QUEST SRL
Registered address: Str. Occidentului 71, Bl. 1, Sc. A, Ap. 25, Cod 077160, Romania
Email (privacy matters): bogdan@xms.quest

2. Scope of This Privacy Policy

The DCA web application
Related services, communications, and support interactions
Users accessing the Service from the EU, US, and other regions

The Service is intended for a general audience.

Minors may use the Service only under the supervision of a parent or legal guardian. We do not knowingly collect personal data from children without such supervision.

3. Categories of Personal Data We Collect

3.1 Identification and Account Data

Name
Email address
Hashed password

Purpose: Account creation, authentication, service delivery.

3.2 Financial and Billing Data

Payment-related data required to process subscriptions

Important: We do not store payment card details. Payments are processed securely by Stripe.

3.3 Usage and Technical Data

Payment status events
System and security logs
Device and browser metadata (to the extent required for security)

3.4 Communications

Emails and support messages you send to us

4. Purposes and Legal Bases for Processing (EU & US)

We process personal data only where legally permitted.

EU (GDPR – Article 6)

PurposeLegal Basis

Account creation & service deliveryPerformance of a contract

Billing & subscriptionsPerformance of a contract

Security & fraud preventionLegitimate interest

Legal & tax complianceLegal obligation

Non-essential communicationsConsent (where required)

US Legal Basis

For US users, we process personal data based on:

Contractual necessity
Legitimate business purposes
Compliance with legal obligations

5. Cookies and Tracking Technologies

We use essential cookies only, strictly necessary for:

Authentication
Session management
Security and fraud prevention

We do not use:

Marketing cookies
Behavioral advertising cookies
Analytics cookies (at present)

If this changes, we will update this policy and obtain consent where required.

6. Third-Party Processors and Service Providers

We share personal data only with trusted third-party providers acting as data processors, including:

ProviderPurpose / Location

StripePayments (EU / US)

Amazon SESTransactional emails (EU)

SnapTradeBroker integrations (Canada)

AlphaVantageFinancial data (USA)

ContaboCloud hosting (EU)

MongoDBDatabase infrastructure (USA)

All processors are contractually required to:

Process data only on our instructions
Apply appropriate security measures
Comply with applicable data protection laws

7. International Data Transfers

Where personal data is transferred outside the European Union, we rely on:

Standard Contractual Clauses (SCCs), or
Other lawful transfer mechanisms recognized under GDPR

8. Data Retention

We retain personal data only as long as necessary:

Data CategoryRetention

Account dataUntil account deletion

Logs & security data30–90 days

Billing recordsAs required by law

Broker-related dataUntil user deletion

Portfolio dataUpdated at each login

9. Your Rights

EU Users (GDPR)

You have the right to:

Access
Rectification
Erasure
Restriction
Portability
Objection
Withdraw consent

US Users (CCPA/CPRA-aligned)

Where applicable, you may have the right to:

Know what personal data we collect
Request deletion
Request correction
Opt out of certain data sharing (if applicable)

We do not sell personal data.

Exercising Your Rights

Email: bogdan@xms.quest

Response time: within 30 days

10. Automated Processing and Profiling

The Service displays financial indicators (e.g., P/E, P/B, ROA, ROE, dividend estimates) using predefined thresholds and visual indicators. These:

Are informational only
Do not produce legal or similarly significant effects
Do not constitute financial, investment, or trading advice

No automated decision-making under GDPR Article 22 is performed.

11. Security Measures

We implement technical and organizational safeguards appropriate to the risk, including:

Password hashing and encryption
Role-based access controls
Restricted production access
Logging and monitoring
Incident detection and response procedures

12. Personal Data Breaches

In the event of a personal data breach:

We will assess the incident promptly
Notify the relevant supervisory authority within 72 hours where required
Notify affected users where there is a high risk to rights and freedoms

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be communicated via email and reflected by an updated "Last updated" date. Continued use of the Service constitutes acceptance of the updated policy.

14. Complaints and Supervisory Authorities

EU

You may lodge a complaint with your local data protection authority.

Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

US

You may contact us directly regarding privacy concerns. We will respond in accordance with applicable US law.

15. Contact

For privacy-related questions or requests:

bogdan@xms.quest